UK Ministry of Defence Fined For Afghan Data Breach


The UK’s data protection regulator has fined the Ministry of Defence (MoD) £350,000 ($439,000) after a serious email error which could have led to loss of life.

The Information Commissioner’s Office (ICO) said the email in question was sent by the UK's Afghan Relocations and Assistance Policy (ARAP), which is responsible for helping to relocate Afghan citizens who worked for or with the UK government during allied occupation of the country.

Personal information on 245 of these individuals was accidentally exposed to all recipients because the sender used the “To” field. In the case of 55 of these people, thumbnail pictures were also visible on their email profiles. Two “replied all” to the entire list of recipients, with one providing their location, the ICO said.

Given the circumstances surrounding their relocation, lives could have been at risk had the data fallen into the hands of the Taliban, the regulator claimed.


An initial fine of £1m was levied by the ICO for a serious breach of the GDPR, as the MoD was judged not to have “appropriate technical and organizational measures in place.” However, this was subsequently reduced to £700,000 by the ICO, in part to reflect post-incident steps taken by the ministry.

The MoD swiftly contacted those affected, asking them to delete the email, change their email address and provide the ARAP team with their new contact details via a secure form. It also conducted an internal investigation, made a statement in parliament about the breach, and updated the ARAP’s email policies and processes. This included a “second pair of eyes” policy when sending emails to multiple external recipients.

Under the ICO’s new approach to public sector fines, the financial penalty was subsequently halved to £350,000.

However, Information Commissioner John Edwards described the incident as “egregious” and urged other organizations to learn their lessons from the breach.

“This deeply regrettable data breach let down those to whom our country owes so much,” he added.

“While the situation on the ground in the summer of 2021 was very challenging and decisions were being made at pace, that is no excuse for not protecting people’s information who were vulnerable to reprisal and at risk of serious harm. When the level of risk and harm to people heightens, so must the response.”
